A crypto mining campaign has been ongoing for years and is continuously evolving defense evasion tactics to stay undetected. The campaign is named Autom owing to the shell script that started the attack.

Autom malware campaigns

According to researchers, the campaign has been ongoing for the past three years and evolved to stay hidden. 
  • It was first detected in 2019 and since then 84 attacks have been discovered using the same shell script.
  • In 2020, cybercriminals were evading defense by bypassing security features and then started using an obfuscating script in 2021.
  • Attackers launched at least 125 attacks only in the third quarter of 2021.

Malware operations

The early attacks were executing a malicious command while running a vanilla image named as alpine:latest that eventually downloaded a shell script, autom[.]sh.
  • The command that was added to the official image to perform the attack has hardly changed in the past years. However, the shell script is now downloaded from a different server.
  • The shell script starts the attack, allows the attackers to create a new user account, (akay), and upgrade privileges to a root user for running arbitrary commands to mine cryptocurrency.

Evolution of the malware

The early attacks of the campaign in 2019 had no special obfuscating techniques, which it later developed.
  • The malware can disable security mechanisms and obtain an obfuscated mining shell script that was Base64-encoded around five times to avoid security tools.
  • Further, the attacker added concealment capabilities involving downloading log_rotate[.]bin script to launch cryptomining activity by creating a new cron job to start mining every 55 minutes.

Concluding notes

Threat actors driving the Autom campaign have displayed a high level of expertise in launching attacks while staying under the radar. Security teams must up their guards before such threats infect them.

Cyware Publisher